The Internet Connection

How the Sony hack affects Boise media and businesses

They're known only as as Guardians of Peace and within hours of their Nov. 24 cyber raid of files on Sony Pictures Entertainment's computer network, their name—though not their identities—were known the world over. During the following weeks the hacker, or hackers, now believed to be connected with North Korea, disseminated unreleased Sony Films, which quickly became popular on torrent download sites. The breach also included leaked internal emails and executive salaries, as well as the Social Security numbers of 47,000 current and former Sony employees. Leaked holiday releases Annie, Mr. Turner and Still Alice have been downloaded tens of thousands of times.

The fiasco made for a rollicking story in the press, which dwelled on the most salacious aspects of the leaks, like Sony executives' email exchanges about celebrities (whose Social Security numbers had also been compromised), which included damning details about pay discrepancies between male and female stars. Sony scuttled the planned Christmas Day release of The Interview, starring James Franco and Seth Rogen as two reporters who assassinate North Korean dictator Kim Jong-un, in the face of terror threats, while everyone from President Barack Obama to screenwriter Aaron Sorkin took to the airwaves to chide the studio for cowardice (in the case of the former) and (in the case of the latter) the news media for fanning the flames. Sony later restored the film's Christmas Day opening.

The whole affair, from the questions it raises about companies' electronic security to complaints about the journalistic ethics of reporting about stolen electronic property, is a cause for concern among media, cyber security and legal experts in Boise.

"In an age where all that matters is clicks and profits, nobody wants to be left out of the game. My question is, 'What public interest do [these reports] serve?'" said Seth Ashley, Boise State University journalism professor and Arbiter faculty adviser. "Publishing email addresses and medical records doesn't serve any public benefit."

"As demented and criminal as it is, at least the hackers are doing it for a cause. The press is doing it for a nickel," Sorkin wrote.

Ashley worried that there were items of public interest the national news media ignored or marginalized when it reported on racist private emails about President Obama's movie preferences, or what Sony executives think about Angelina Jolie and Leonardo DiCaprio (spoiler alert: They think they're spoiled).

"The attention paid to the Sony hack so far seems to represent an ongoing obsession with gossip and trivia at the expense of socially significant matters," Ashley wrote in an email. "There's a huge opportunity cost here."

But Ashley also said that corporations like Sony have become adept at controlling information and messaging, making it harder for journalists to report ethically, while increasing the pressure reporters are under to produce attention-grabbing stories. He said as faculty adviser to the Arbiter, he has occasionally experienced this firsthand as student journalists report on Boise State issues.

But while the barriers between journalists and newsworthy information have hardened, the barriers between hackers and that same information remain fluid. The government, as well as companies that store potentially sensitive information on computer networks hire cyber security specialists and erect tougher roadblocks for hackers, but according to Don Bush, vice president of marketing at Boise-based transaction security firm Kount, those measures aren't always enough.

"Nobody likes their data to be exposed, but there really isn't a 100-percent secure system," he said.

Kount authenticates electronic financial transactions, and clients like Staples rely on Kount to process thousands of online transactions in which neither the cardholder nor credit (or debit) card is present at the time of purchase. If a credit card hails from Boise but the Internet Protocol address of the computer that used that card to make a purchase is traced to somewhere else, that's usually a sign of attempted fraud. To combat this kind of fraud, many companies keep databases of valid IP addresses to match electronic money transfers with known computers. But as hackers' sophistication grows, measures like these aren't promises of security.

"These fraudsters have gotten much more sophisticated. They're faster; they're more networked," Bush said. "In the case of something like Sony, there are so many different ways to pull information off. There could be a disgruntled employee, there could be not very good security. They're going to get a pretty big black eye about this."

Making that black eye a little blacker has been a slew of class-action lawsuits for breached employee data, citing laws like the California Online Privacy Protection Act, the California Data Breach Act and the California Confidentiality of Medical Information Act. If the personal information about a single California resident is obtained electronically by a company, one or more of these laws may apply. According to Boise-based new media attorney Lisa McGrath, Boise companies have been slow to comply with these laws.

"With my clients, there has been little in the way of compliance in place. It's a relatively new issue," McGrath said.

Part of McGrath's area of expertise is helping local companies comply with new rules regarding electronically stored data; but often, she said, there's little in the way of existing protections, legal or technological, for Boise companies, which have a lot to lose. Laws governing how personal information is collected have already been used against one Idaho company, Goldenshores Technologies, LLC, which inappropriately used its free Android application "Brightest Flashlight Free" to collect personal information about users without proper authorization. It settled for an undisclosed amount with the Federal Trade Commission in December 2013.

"It's something I don't think [Boise companies are] fully aware of," she said. "There's all different kinds of hacking and reasons behind it. I'm sitting down and going over the privacy laws within companies. Just on that side, it's really been like there isn't anything in place."